Fix post contentHtml sometimes breaking script parsing
<\/script> tags in post content would sometimes be recognized as
actually ending the script tag, even when escaped (not exactly sure
why). This is fixed by encoding the < > characters in unicode.
tobyzerner committed Oct 5, 2017
1 parent 19d15d4 commit ea4d889
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion views/app.blade.php
Expand Up @@ -49,7 +49,7 @@
if (module.default) module.default(app);
}
app.boot({!! json_encode($payload) !!});
app.boot({!! json_encode($payload, JSON_HEX_TAG) !!});
@if (! $debug)
} catch (e) {
window.location += (window.location.search ? '&' : '?') + 'nojs=1';
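Review bot: On the new `app.boot(...)` line, `JSON_HEX_TAG` escapes only `<` and `>`, and nothing at the call site records why the flag is there, so a later cleanup could drop it without noticing. Add a short Blade comment above the line saying that the payload is echoed raw through `{!! !!}` into the script and must not contain a literal `<`. If the same encoded payload could ever be emitted outside a script element, consider `JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT` here as well.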

3 comments on commit ea4d889

@franzliedke
Contributor

As far as I know, this is not quite enough. See this Laravel PR.

Once we upgrade to Laravel 5.5, we can use the @json directive that should - by then - be safe, I hope. :)

@tobyzerner
Contributor Author

Are you sure the extra options are necessary though? HTML parsers ignore everything within <script> tags except for </script>, so I would think just encoding < and > is sufficient.

@tobyzerner
Contributor Author

Oh, I suppose encoding the other characters would be necessary if outputting JSON outside the context of a <script> tag (eg. an attribute value). Good job :)
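
The script-context question discussed in this thread, as an added example that is not part of the original commit or comments and is not Flarum code: it encodes a constructed payload with different `json_encode` flags and reports which sequences that matter to the HTML tokenizer inside a script element survive. The `risky_sequences` helper and the sample payload are assumptions made for illustration.

```php
<?php
// Added example, not Flarum code. The payload is constructed sample data.

// Character sequences that change how the HTML tokenizer treats inline
// <script> text: "</script" ends the element, and "<!--" followed by
// "<script" moves the tokenizer into a state where the next "</script>"
// does not end the element.
const RISKY_IN_SCRIPT = ['</script', '<script', '<!--'];

/** Return the risky sequences present in $js (case-insensitive match). */
function risky_sequences(string $js): array
{
    $found = [];
    foreach (RISKY_IN_SCRIPT as $seq) {
        if (stripos($js, $seq) !== false) {
            $found[] = $seq;
        }
    }
    return $found;
}

// Constructed post body containing all three sequences.
$payload = ['contentHtml' => '<p>demo <!-- <script>x</script> --></p>'];

$variants = [
    'JSON_UNESCAPED_SLASHES' => JSON_UNESCAPED_SLASHES,
    'default flags'          => 0,
    'JSON_HEX_TAG'           => JSON_HEX_TAG,
];

foreach ($variants as $label => $flags) {
    $json = json_encode($payload, $flags);
    if ($json === false) {
        // json_encode() returns false on failure (e.g. invalid UTF-8).
        throw new RuntimeException(json_last_error_msg());
    }
    $js    = "app.boot($json);";   // what the Blade line would emit
    $risky = risky_sequences($js);
    printf(
        "%-22s %s\n  risky: %s | decodes to same payload: %s\n",
        $label,
        $js,
        $risky ? implode(' ', $risky) : 'none',
        json_decode($json, true) === $payload ? 'yes' : 'no'
    );
}
```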
